CVE-2021-21224
published 2021-04-26

CVE-2021-21224: Type confusion in V8 in Google Chrome prior to 90.0.4430.85 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.

Priority: P1 85 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2021-11-17
Exploited in the wild
EPSS: 57.74% (99.0th percentile)

Affected

13 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 90.0.4430.85-1 | 90.0.4430.85-1 |
| chromium | chromium | >= 0 < 90.0.4430.85-1 | 90.0.4430.85-1 |
| chromium | chromium | >= 0 < 90.0.4430.85-1 | 90.0.4430.85-1 |
| chromium | chromium | >= 0 < 90.0.4430.85-1 | 90.0.4430.85-1 |
| debian | chromium | < chromium 90.0.4430.85-1 (bookworm) | chromium 90.0.4430.85-1 (bookworm) |
| debian | debian_linux | | |
| fedoraproject | fedora | | |
| fedoraproject | fedora | | |
| fedoraproject | fedora | | |
| google | chrome | < 90.0.4430.85 | 90.0.4430.85 |
| google | chrome | >= unspecified < 90.0.4430.85 | 90.0.4430.85 |
| google | chrome_chrome | | |
| msrc | microsoft_edge | | |

Detection & IOCs (extracted from sources)

domain: media-seoengine[.]com
path: %SYSTEM%\WmiPrvMon.exe
path: %SYSTEM%\wmimon.dll
filename: WmiPrvMon.exe
filename: wmimon.dll
  • Hunt for outbound HTTPS connections to media-seoengine[.]com as a C2 indicator for the PuzzleMaker remote shell payload.
  • The CVE-2021-21224 exploit was publicly demonstrated on GitHub on April 14, 2021, targeting Chrome 90.0.4430.72 via a V8 Typer Mismatch (issue 1195777); monitor for in-the-wild use against unpatched Chrome versions prior to 90.0.4430.85.
  • The full RCE JavaScript exploit for CVE-2021-21224 was never recovered by Kaspersky researchers; attribution to this CVE in the PuzzleMaker attack chain is based on circumstantial timing evidence, not confirmed exploit retrieval.
  • The exploit was chained with EoP vulnerabilities CVE-2021-31955 and CVE-2021-31956 (patched June 8, 2021); detection of CVE-2021-21224 exploitation alone may not indicate full compromise without also checking for the kernel-level EoP stage.

CVSS provenance

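| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | | 8.8 | HIGH | |
| vulncheck | | 8.8 | HIGH | |
| cisa | | 8.8 | HIGH | |
| vendor_debian | | 8.8 | HIGH | |
| vendor_msrc | | 8.8 | HIGH | |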